Foreword



It was our great pleasure to extend a welcome to all who participated in SERA 2003,
the first world-class International Conference on Software Engineering Research and
Applications, which was held at Crowne Plaza Union Square Hotel, San Francisco,
California, USA. The conference was sponsored by the International Association for
Computer and Information Science (ACIS), in cooperation with the Software Engineering
and Information Technology Institute at Central Michigan University.

This conference was aimed at discussing the wide range of problems encountered
in present and future high technologies. In this conference, we had keynote speeches by
Dr. Barry Boehm and Dr. C.V. Ramamoorthy and invited talks by Dr. Raymond Yeh,
Dr. Raymond Paul, and Dr. Mehmet Şahinoglu, which were fruitful to all who participated in
SERA 2003.

We would like to thank the publicity chairs and the members of our program
committees for their work on this conference. We hope that SERA 2003 was enjoyable for
all participants.



C.V. Ramamoorthy 




Preface 



It was indeed our pleasure to welcome all of you to the 1st ACIS International Conference
on Software Engineering Research and Applications (SERA 2003), June 25-27, 2003,
Crowne Plaza Union Square Hotel, San Francisco, California, USA. SERA 2003 featured
excellent theoretical and practical contents contributed by the international community
in the areas of formal methods and tools, requirements engineering, software
process models, communication systems and networks, software quality and evaluation,
software engineering, networks and mobile computing, parallel/distributed computing,
component-based software development, artificial intelligence and applications, software
testing, reuse and metrics, database retrieval, HCI, software standards, computer
security, software architectures, and modeling.

We received 104 papers (our Program Co-chair Prof. Kyung Whan Lee received 45 
papers and Prof. Roger Lee received 59 papers) from 22 different countries around the 
world for possible presentation at the conference. Among those papers, a large number 
were high-quality paper submissions. Three reviewers reviewed each paper. After the 
completion of the peer-review process, our International Program Committee selected 53 
papers, which gave about a 49% acceptance rate for publication in the ACIS conference 
proceedings. Of the 53 presented papers at the conference our international program 
committee selected 23 outstanding papers for publication in Springer’s LNCS as the 
post-conference proceedings. 

We would like to express our sincere appreciation to the following people for contributing
to the success of this conference: Dr. C.V. Ramamoorthy, conference chair;
Dr. Barry Boehm and Dr. C.V. Ramamoorthy, our keynote speakers; Dr. Raymond Yeh,
Dr. Raymond Paul and Dr. Mehmet Şahinoglu, our invited speakers; the publicity chairs
and the International Program Committee members who rose beyond the call of duty,
contributing a large percentage of their time; the referees who accepted the last-minute
requests for extra reviews; the session chairs who presided over the sessions; all the
authors, attendees, and presenters who really made this conference possible and successful;
Prof. Dr. Walter Dosch for his extra time and effort in communicating with
Springer-Verlag about LNCS post-conference proceedings; and, finally, the editorial
staff at Springer-Verlag. Furthermore, we would like to extend special thanks to Alfred
Hofmann of Springer-Verlag who made this publication possible.



Roger Y. Lee 
Kyung Whan Lee 
Keynote Address



Balancing Agility and Discipline: 
A Guide for the Perplexed 



Barry Boehm 



Director, USC Center for Software Engineering 
TRW Professor of Software Engineering 
Computer Science Department 
University of Southern California 
Los Angeles, CA 90089 



Future software applications increasingly need the agility to adapt to rapid change and
the discipline to provide dependable software-intensive products and services. Considerable
perplexity currently reigns in assessing the ability of agile methods such as
Extreme Programming, Scrum, Crystal, and Adaptive Software Development in providing
both agility and discipline, in comparison with the use of plan-driven methods
oriented around the use of frameworks such as the software Capability Maturity
Model (CMM) and the CMM-Integrated (CMMI).

This presentation, based on a forthcoming Addison Wesley book with Richard 
Turner, "Balancing Agility and Discipline: A Guide for the Perplexed," will examine 
the sources of this perplexity, and will assess the relative "home grounds" of agile and 
plan-driven methods: the range of software applications, management, technical, and 
personnel characteristics for which the two classes of methods work best. It will also 
summarize two case studies showing how a project can succeed by starting from an 
agile or disciplined method and adding aspects of the complementary method. 

The presentation will then provide five scales which a project or organization can
use to determine how well it fits the use of agile or disciplined methods: size, criticality,
personnel capability, dynamism, and organizational culture. It will provide and
illustrate by example projects a risk-based approach by which a project can use its
risk patterns to tailor an appropriate mix of agile and plan-driven methods to cope
with the risks. It will conclude by summarizing an approach by which organizations
can assess their current and future needs for agility and discipline, and can develop a
cost-effective strategy for adapting their organizations to meet their particular combination
of needs for agility and discipline.
Keynote Address



A Study of Feedback 

in Software Supported Networked Systems 

C.V. Ramamoorthy 

Professor Emeritus, University of California, Berkeley 
Sr. Research Fellow, ICC Institute, The University of Texas, Austin 
ram@cs.berkeley.edu



The purpose of this paper is to study the concept of feedback in software supported
networked devices, appliances and systems. These systems use system generated
feedback signals (requests) to obtain help from external service providers/vendors
during system/application emergencies and other contingencies. Similar techniques
are also used to keep external entities apprised of the system's progress and health.
Future systems, including appliances, devices and complex entities operated by humans
would be networked and would be allowed to interact amongst themselves as
well as with service providers under well-defined specified but constrained conditions.
We explore many advantages and opportunities obtainable through the use of
external services triggered by feedback from the system. These services include real
time maintenance, troubleshooting and diagnosing the causes of failures, recovery
from failures, operational support and help, protection against security and safety
infringements, congestion and conflict resolution, overload help through resource
sharing etc. Currently in certain network products, a technique of reverse feedback
(from the service provider to the system) is in vogue. Some networked products,
namely those by Microsoft and IBM, request and receive periodic updates and revisions
directly from their vendors. These functions provide the customer with better
quality of service and extend the longevity of the system. These also bring the consumers
closer to the product developers by suggesting future needs, opinions, improvements
and refinements.

In this presentation we generalize the concept of feedback generation and processing
in a networked environment and study many of its ramifications and issues. We
categorize the feedback types with examples. We trace the life cycle of a feedback-generated
request from the time of its creation to the point where the request is consummated,
exploring and exposing the varieties of issues on the way.

We show such systems emphasize continued automation of services, which can replace
many user-operated chores. In particular, we discuss parallel multiple diagnosis,
the concept of checking the checkers, resource sharing by reconfiguration in overcapacity
systems, or via grid or cluster protocols, replacing a failing executing environment
with a virtual healthy replacement, etc. We develop some models and methods
of web-based service support. We describe and explore techniques such as non-intrusive
shadow and standby programming and porous programming and their applications
to reliable and secure feedback supported systems. We conclude by identifying
challenging problems and research issues.
Invited Talk



Why Great Organizations Are Great? 
The Art of Business 



Raymond T. Yeh 

Senior Research Fellow 
ICC Institute 
The University of Texas 
Austin, Texas 



This presentation will share a study, being documented in a forthcoming book of the
same title that answers this question. Our research discovered that a Great organization
must first of all have a soul, which creates meaning for people working there.
Such an organization knows where it is going and somehow always seems to flow
with the changing world outside to get there in time. A Great organization smartly
leverages on its environment, including its competitors, to make sure that its resources
are effectively and efficiently utilized. It is also the master of its trade by
being consistently on the edge while maintaining balances. Finally, a Great organization
is made of leaders who help to actualize the organization's vision by aligning
their own dreams to it.

Great organizations studied here spread around the globe including for-profit, non-profit,
mature and young organizations. The practice of these strategic arts will help a
company to charter a steady course in the quest for its vision and can resist temptations/pressures
from its environment. For example, our society's focus on short term
bottom-line many times causes a company to lose its soul as evidenced by Enron,
WorldCom, Andersen Consulting, etc. This talk will also explore insights of great
leaders in the application of these arts to guide their organizations to unprecedented
successes.
Invited Talk



Future of Computer Software Systems: 
Commodity or Service? 



Raymond Paul 

Department of Defense 
Washington, DC 



Web Services (WS) received significant attention recently by government agencies
and computer industries. WS provides a new architecture/paradigm for building distributed
computing applications based on XML. It provides a uniform and widely
accessible interface to glue the services implemented by the other middleware platform
over the Internet by utilizing standard Internet protocols such as WSDL, SOAP
and UDDI.

While WS is still early in its maturing process and many issues still need to be addressed,
e.g., finalizing draft specifications, runtime verification and validation, and
quality assurance by the UDDI servers, many keen observers agree that WS represents
a new significant trend for software systems integration and for how systems will be
developed, structured, acquired, and maintained. For example, instead of buying and
maintaining software, software can be leased and downloaded when needed. Thus, in
this way, software upgrade will be automated because the latest version will be used
when the service is called at runtime.

WS implementation also requires a loosely coupled architecture where new services
can be added at runtime and old services can be replaced. Furthermore, vendors
will compete to supply most dependable and/or marketable services on the web, and
this also changes the way software industries earn their revenue.

Quality assurance as well as security and privacy will be important for both service
clients and providers, including those serving as intermediate agents such as UDDI
servers.

WS provide a new way for globalization where companies, regardless of their
background such as nationalities, languages, and culture, must now compete in a
global market where the only rule is interoperability via architecture and interfaces. It
is no longer possible to have local or national markets where local companies can do
well due to market segmentation. If a company does not compete in the service market
globally, it will wither as soon as new replacement services are published on the
web. This will increase the pace of global competition, and the companies that have
the great software technology will win instead of the one that has the great financial
resources only.

The concept of WS reaches far beyond software: in the future, hardware will also have a
corresponding service, where hardware vendors will supply new components to fit into
existing well-published architectures for specific applications.
Invited Talk



An Exact Reliability Block Diagram Calculation Tool 
to Design Very Complex Systems 



Mehmet Şahinoglu

Fellow SDPS, Senior Member IEEE, ASA, Elected ISI Member
Eminent Scholar & Chairman-Professor of Department of Computer & Information Science
Troy State University Montgomery, Alabama
mesa@tsum.edu
http://www.tsum.edu/~mesa



In this study, the novel ERBDC method is introduced as a tool both to compute exact
(s-t) reliability for a network, which is important in the design of even moderately
sized networks, and to redesign an existing network. This talk examines very complex
network designs or imbedded systems such as in the topology of an Internet service
grid or a chip design for calculating s-node (source) to t-node (target) availability. The
ERBDC method is a tool which reduces any complex system to a series reliability
block diagram, by first finding all existing paths and then trimming all the redundant
or protruding component duplications through an algorithm to finally calculate an
exact reliability, favorably compared to conventionally employed upper bound calculations
(theoretically feasible but practically infeasible) with respect to path set and
cut set formulations. All node to node availabilities are calculated. Then, weaker
node to node paths are reinforced and the resulting network designs are compared
to the original ones in terms of node to node availability.

All current exact computational algorithms for general networks are based on
enumeration of states, minpaths or mincuts. However, the exponential size of enumeration
of tie sets or cut sets quickly becomes unmanageable as size (links and
nodes) of the network grows. Hence, network reliability bounds, estimation or simulation
is commonly used for non-trivial sized networks. The method used in this paper,
Exact Reliability Block Diagram Calculation, is an exact calculation tool for s-t reliability
but tractable for large networks. As an example of this method, a Java applet
first examines a simple LAN of 6 nodes and 7 links in the sample problem 1. Then, a
complex network exemplifying a popular WAN operation will be shown consisting of
32 connections and 19 nodes as in the sample problem 2. Also, an application of the
Sahinoglu-Libby probability distribution function (otherwise known as G3B) will be
illustrated through a Java applet on how to sample historical failure and repair data to
estimate the node and link reliabilities for the implementation of the ERBDC algorithm.

The proposed method allows designers to see and investigate all possible paths between
all s-t nodes in a network as well as computing exact s-t reliabilities to make
sensitivity analysis on any design obtained by a heuristic design algorithm. Thus,
designers can reinforce their designs considering both reliabilities and costs of all
components and links in an existing network being redesigned. The newly proposed
ERBDC method opens a new avenue to overcome the impasse of calculating the exact
s-t reliabilities of very large complex systems, hence paving the way to conveniently
and accurately redesigning and improving computer network reliability. This will
consequently improve the quality of distributed network systems while mitigating the
effects of poor software security.




Computer-Aided Refinement of Data Structures
on Higher-Order Algebraic Specifications



Walter Dosch 1 and Sönke Magnussen 2



1 Institute of Software Technology and Programming Languages
University of Lübeck

Ratzeburger Allee 160, D-23538 Lübeck, Germany
2 Lufthansa Revenue Services, Application Management
Schuetzenwall 1, D-22844 Norderstedt, Germany



Abstract. The paper studies the transformational refinement of data structures
in the framework of higher-order algebraic specifications. We present novel procedures
that mechanize the refinement of entire data structures within a single
complex transformation step. The transformations validate a general refinement
relation that captures different types of simulations. General transformation rules
describe algebraic implementations based on abstraction and representation functions.
Specialized transformations cover particular changes between data structures.
All transformation procedures have been implemented in the Lübeck Transformation
System. The system uses analysis algorithms to establish the soundness
conditions of the transformations by syntactic criteria. We report practical experiences
about manipulating data structures with the system. The paper summarizes
results from the second author's PhD thesis [20].

Keywords: Higher-order algebraic specification, refinement of data structure, algebraic
implementation, transformation system



1 Introduction 



Formal methods offer a secure development process for software and hardware systems.
The transformational approach [15] organizes the development as a sequence of rule-based
steps refining a behavioural specification to an efficient realization. The derived
implementation is correct by construction without a posteriori verification if the development
uses sound transformation rules [2] respecting a semantic refinement relation.

Transformation systems assist the programmer with various degrees of interaction.
As standard services, they offer the safe manipulation of specifications following elementary
transformation rules. Advanced transformation systems also support larger
transformation steps where the user can concentrate on the essential design decisions.
Chaining wide-spanned transformations results in compact derivations with an adequate
degree of mechanization.

The mechanization of the refinement of data structures in a transformation system
faces both theoretical and practical problems. Combined data structures built by several
basic modules along with functions operating on these combined data structures form
complex entities which must carefully be transformed by syntactic manipulations. The
refinement of data structures cannot be confined to transformations for single constituents;
rather refinement steps generally affect the entire data structure and dependent functions.
Further problems arise from complex semantic conditions that constrain many refinement
steps to ensure their soundness. Here advanced analysis algorithms are needed to
implement powerful sufficient syntactic criteria. The transformation of data structures
has to be well understood, since it lays a semantic basis for transforming classes in
object-oriented software design.

In this paper we study the refinement of data structures for higher-order algebraic
specifications with the particular aim to mechanize the refinement relation by transformations.
The approach is based on a novel refinement relation between specifications.
It requires that all models of the refined specification can be retrieved as subalgebras of
quotients of models from the original specification. This notion of refinement generalizes
the model inclusion from predicate logic [12] to capture flexible changes between
data structures.

The refinement process can be mechanized to a certain degree; it has been implemented
in the Lübeck Transformation System — a tool for the interactive development
of software [9,20]. We present several mechanizable transformations for data structures
satisfying the semantic refinement relation. The application conditions are either
verified automatically by analysing the specification or inserted as axioms into the specification.
These axioms serve as proof obligations which have to be handled during the
development. The transformations capture the general approach of algebraic implementations
which can be specialized for particular situations like constructor enrichments or
constructor implementations.

Section 2 presents motivating examples which illustrate characteristic refinement
steps for data structures. In Section 3 we survey the foundations of our approach to
higher-order algebraic specifications. We concentrate on constructor generated models
supporting a mechanization of the refinement steps. The general method of algebraic
implementation is also applicable for non constructor generated specifications. Section
4 first presents a general framework for the refinement of data structures using representation
and abstraction functions. Then we establish that the four different types
of simulations validate the refinement relation. Section 5 first presents a general transformation
rule mechanizing the algebraic implementation of data structures, and then
studies various special cases. We illustrate these transformation rules by revisiting the
introductory examples. Section 6 surveys the refinement of data structures from a user's
view point as it is handled in the Lübeck Transformation System.

Throughout the paper we assume that the reader is familiar with the basic notions of 
algebraic specifications [15,23] and data refinement [7] . 

2 Introductory Examples 

Algebraic specifications define data structures in an abstract way by naming the required 
sorts and function symbols together with their properties. During software development, 
the abstract sorts must be represented by the concrete types of a programming language; 
the function symbols must correctly be realized by algorithms in terms of the basic 
functions provided. 
The refinement of algebraic specifications should document the design decisions
made by successively adding implementation details to the abstract specification. There
are general methods and specialized techniques for refining an abstract specification
towards a concrete implementation [5].

In this introductory section, we illustrate important refinement steps for algebraic
specifications presenting simple, yet characteristic cases. The examples exhibit the
changes which a data structure undergoes during various refinement steps. The illustrating
examples will be revisited in the formal treatment to follow.



2.1 Basic Data Structures 

We present algebraic specifications for basic data structures like truth values and natural
numbers to familiarize the reader with the notation. These specifications will be used as
basic modules for building more complex specifications [6].



Truth Values. The specification Bool for the truth values defines the constants true
and false along with the usual Boolean operators.

spec Bool =
  sorts bool = true | false
  ops not : (bool)bool
      and : (bool, bool)bool
      or : (bool, bool)bool
  vars a, b : bool
  axioms
    not1 : not(true) = false
    not2 : not(false) = true
    and1 : and(true, b) = b
    and2 : and(false, b) = false
    or1 : or(a, b) = not(and(not(a), not(b)))
end



Natural Numbers. The specification Nat defines natural numbers using the construc- 
tors zero and succ . As a short-hand notation, we define the sort nat by a recursive sort 
declaration. The specification Nat extends the specification Bool which is needed for 
the equality predicate. 



spec Nat = Bool ;
  sorts nat = zero | succ(nat)
  ops eqNat : (nat, nat)bool
      add : (nat, nat)nat
      mult : (nat, nat)nat
  vars m, n : nat
  axioms
    eqNat1 : eqNat(zero, zero) = true
    eqNat2 : eqNat(zero, succ(m)) = false
    eqNat3 : eqNat(succ(m), zero) = false
    eqNat4 : eqNat(succ(m), succ(n)) = eqNat(m, n)
    add1 : add(m, zero) = m
    add2 : add(m, succ(n)) = succ(add(m, n))
    mult1 : mult(m, zero) = zero
    mult2 : mult(m, succ(n)) = add(m, mult(m, n))
end

The specification Nat is algorithmic, since all operations are defined by structural induction
over the sort nat.

2.2 Implementing Sets by Boolean Arrays 

In this subsection, we refine the data structure ‘sets of natural numbers’ to a realization 
using Boolean arrays. The transformation illustrates three characteristic refinement steps, 
viz. the introduction of a generation constraint, the reduction of a constructor system, 
and the implementation of a constructor sort by another constructor sort. 



Sets of Natural Numbers. The specification FinSet describes sets of natural numbers. 
The operation addElem inserts an element into a set, union forms the set union, and 
memb tests whether an element is contained in a set. The sort set is specified as a loose 
sort imposing no generation constraint. 

spec FinSet = Bool + Nat ;
  sorts set
  ops emptySet : set
      addElem : (nat, set)set
      union : (set, set)set
      memb : (nat, set)bool
  vars m, n : nat, r, s, t : set
  axioms
    union_comm : union(r, s) = union(s, r)
    union_assoc : union(union(r, s), t) = union(r, union(s, t))
    union1 : union(s, emptySet) = s
    union2 : union(s, addElem(m, t)) = addElem(m, union(s, t))
    memb1 : memb(m, emptySet) = false
    memb2 : memb(m, addElem(n, s)) = or(eqNat(m, n), memb(m, s))
end



Introducing a Generation Constraint. Heading towards an algorithmic axiomatization,
we first impose a generation constraint on the sort set confining the corresponding
carrier to finite sets of natural numbers. In a straightforward approach, we can take the
collection of all function symbols with result sort set as the constructor system. We refine
the loose sort set in specification FinSet to a constructor sort introducing a recursive
sort declaration:

spec FinSet = Bool + Nat ;
  sorts set = emptySet | addElem(nat, set) | union(set, set)
  ops memb : (nat, set)bool
  vars
end

Each interpretation of the carrier of the sort set requires to be finitely generated by the 
three constructors emptySet , addElem , and union . 

Reducing a Constructor System. A closer look at the axioms of specification FinSet 
reveals that each formation of a set involving the constructor union can be transformed to 
a formation using solely the constructors emptySet and addElem . Thus we can reduce 
the constructor system dropping the constructor union in the next refinement step: 

spec FinSet = Bool + Nat ;
  sorts set = emptySet | addElem(nat, set)
  ops union : (set, set)set
      memb : (nat, set)bool
  vars
end

Constructor Translation. After these two refinement steps, the resulting specification 
FinSet is algorithmic, yet the constructors prevent an efficient implementation of the 
functions involved. Therefore we aim at implementing the data structure ‘finite sets of 
natural numbers’ by Boolean arrays. 

To this end, we introduce the specification BoolArray defining arrays of truth values 
indexed by natural numbers. The operation put writes a Boolean value to an array at a 
given position, the operation lookup reads the element stored at a position. 

spec BoolArray = Bool + Nat ;
  sorts array = init | put(array, nat, bool)
  ops lookup : (nat, array)bool
  vars b, c : bool, m, n : nat, a : array
  axioms
    put1 : put(put(a, m, b), n, c) =
             if eqNat(m, n) then put(a, n, c) else put(put(a, n, c), m, b)
    lookup1 : lookup(m, init) = false
    lookup2 : lookup(m, put(a, n, b)) = if eqNat(m, n) then b else lookup(m, a)
end
Now we embed the abstract sort set into the concrete sort array by translating all
constructor terms of sort set into terms of sort array. To this end we specify the sort
set as array and describe the translation by the equations

  emptySet = init
  addElem(m, s) = put(s, m, true).



As a consequence the former constructors emptySet and addElem become operations. 
Then we replace all occurrences of the former constructor terms of sort set in the 
axioms by a translated term of sort array and keep the remaining term structures. With 
this refinement step, we obtain the following result: 



spec FinSet = Bool + Nat + BoolArray ;
  sorts set = array
  ops emptySet : set
      addElem : (nat, set)set
      union : (set, set)set
      memb : (nat, set)bool
  vars m, n : nat, r, s, t : set
  axioms
    emptySet1 : emptySet = init
    addElem1 : addElem(m, s) = put(s, m, true)
    union_comm : union(r, s) = union(s, r)
    union_assoc : union(union(r, s), t) = union(r, union(s, t))
    union1 : union(s, init) = s
    union2 : union(s, put(t, m, true)) = put(union(s, t), m, true)
    memb1 : memb(m, init) = false
    memb2 : memb(m, put(s, n, true)) = or(eqNat(m, n), memb(m, s))



This example illustrates that the implementation of data structures involves refinement 
steps touching different algebraic notions. This small scale example also shows the 
complexity of the refinement steps which manifests the need both for a unifying theory 
and a reliable interactive tool. The reader is invited to trace the sequence of elementary 
syntactic manipulations that are needed to completely mechanize the refinement steps 
sketched so far. 



2.3 Implementing Stacks by Arrays with Pointers 

The preceding subsection illustrated three special refinement steps for data structures 
which leave the signature of the specification unaffected. In the second example we 
now address the general notion of algebraic implementation. We revisit the well-known 
implementation of stacks by pairs of an array and a pointer. In this refinement step, a 
constructor sort is embedded into a derived sort built from two constructor sorts. In the 
sequel we concentrate on the manipulations necessary to perform this change of the data 
structure in a sound way. 
Stacks of Natural Numbers. The specification Stack defines stacks with elements of
sort elem. Stacks are constructed from the empty stack emptyStack by successively
pushing elements to the stack. The operation top reads, the operation pop removes the
first element of a nonempty stack.



spec Stack = Nat ;
  sorts elem
        stack = emptyStack | push(elem, stack)
  ops error : elem
      top : (stack)elem
      pop : (stack)stack
  vars e : elem, s : stack
  axioms
    top1 : top(emptyStack) = error
    top2 : top(push(e, s)) = e
    pop1 : pop(emptyStack) = emptyStack
    pop2 : pop(push(e, s)) = s
end



Arrays. The implementation of stacks by arrays is based on the following specification 
ElemArray defining arrays of elements indexed with natural numbers: 

spec ElemArray = Bool + Nat ;
  sorts elem
        array = init | put(array, nat, elem)
  ops error : elem
      lookup : (nat, array)elem
  vars e, f : elem, m, n : nat, a : array
  axioms
    put1 : put(put(a, m, e), n, f) = if eqNat(m, n) then put(a, n, f)
                                     else put(put(a, n, f), m, e)
    lookup1 : lookup(m, init) = error
    lookup2 : lookup(m, put(a, n, e)) = if eqNat(m, n) then e else lookup(m, a)



Constructing an Algebraic Implementation. For implementing stacks by pairs of an 
array and a natural number, we first introduce a new sort name for the chosen represen- 
tation: 

  sorts   stack_new = (nat, array)

The relationship between the abstract sort stack and the concrete sort stack_new is defined 
by a representation function and/or an abstraction function [17]. These functions relate 
abstract stacks constructed by emptyStack and push to their representation as pairs 
(nat, array): 

  ops     repr  : (stack) stack_new
          abstr : (stack_new) stack



For each function symbol involving the sort stack, we introduce a corresponding function 
symbol operating on the implementation sort stack_new: 

  ops     emptyStack_new : stack_new
          push_new       : (elem, stack_new) stack_new
          top_new        : (stack_new) elem
          pop_new        : (stack_new) stack_new

The functions on the implementation level must behave like the functions on the abstract 
level. The relation between an abstract function and its concrete counterpart can be 
established, for example, by means of the abstraction function and the following axioms: 



  vars    e : elem, s : stack_new
  axioms
          emptyStack_new : abstr(emptyStack_new) = emptyStack
          push_new       : abstr(push_new(e, s)) = push(e, abstr(s))
          top_new        : top_new(s)            = top(abstr(s))
          pop_new        : abstr(pop_new(s))     = pop(abstr(s))

Using standard derivation steps from transformational programming such as fold, unfold 
and case analysis, these equations can be transformed into an algorithmic form, provided 
a suitable axiomatization of the abstraction function is given. The derivation finally 
reaches the following specification after renaming the constituents: 

spec StackByArray = Bool + Nat + ElemArray ;
  sorts   elem
          stack = (nat, array)
  ops     error      : elem
          emptyStack : stack
          push       : (elem, stack) stack
          top        : (stack) elem
          pop        : (stack) stack
  vars    e : elem, m : nat, a : array, s : stack
  axioms
          emptyStack1 : emptyStack      = (zero, init)
          push1       : push(e, (m, a)) = (succ(m), put(a, succ(m), e))
          top1        : top(zero, a)    = error
          top2        : top(succ(m), a) = lookup(succ(m), a)
          pop1        : pop(zero, a)    = (zero, init)
          pop2        : pop(succ(m), a) = (m, a)
end



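The following is an added example and not part of the paper or its tool: an executable model of the three specifications above (Stack, ElemArray and StackByArray) together with an abstraction function abstr, plus a bounded exhaustive check of the four axioms emptyStack_new, push_new, top_new and pop_new that relate the concrete operations to the abstract ones. It also includes a deliberately wrong variant of push that writes at index m instead of succ(m), the classic off-by-one in a pointer-plus-array representation, to show that the same equational obligations detect it. Assumptions not in the paper: sort elem is modelled as Python strings, the error element as the string "error", nat as a non-negative int, and an array as the normal form of the constructor term under put1 (one entry per index, sorted by index). The check is finite enumeration, not the symbolic proof the paper's tool aims at; it shows what the obligations mean, not that they hold for all inputs.

```python
"""Added example (not from the paper): executable models of Stack, ElemArray and
StackByArray from Section 2.3, the abstraction function abstr, and a bounded
exhaustive check of the refinement axioms emptyStack_new .. pop_new.
Assumptions: elem = str, error = "error", nat = non-negative int, and an
array is the put1 normal form of its constructor term (one entry per index)."""
from itertools import product

ERROR = "error"                 # the error element of sort elem (assumption)

# abstract Stack: emptyStack | push(elem, stack); a stack is a tuple whose
# first component is the top element
EMPTY = ()

def push(e, s):
    return (e,) + s

def top(s):                     # top1, top2
    return ERROR if s == EMPTY else s[0]

def pop(s):                     # pop1, pop2
    return EMPTY if s == EMPTY else s[1:]

# ElemArray: init | put(array, nat, elem)
INIT = ()

def put(a, n, e):               # put1: the last put at an index wins and puts
    return tuple(sorted([x for x in a if x[0] != n] + [(n, e)]))  # at distinct indices commute

def lookup(m, a):               # lookup1, lookup2
    for n, e in a:
        if n == m:
            return e
    return ERROR

# StackByArray: stack = (nat, array); the pointer m is the index of the top
EMPTY_NEW = (0, INIT)           # emptyStack1

def push_new(e, s):             # push1: write at succ(m), then advance the pointer
    m, a = s
    return (m + 1, put(a, m + 1, e))

def top_new(s):                 # top1, top2: never reads index 0
    m, a = s
    return ERROR if m == 0 else lookup(m, a)

def pop_new(s):                 # pop1, pop2: the stale entry at index m stays in a
    m, a = s
    return (0, INIT) if m == 0 else (m - 1, a)

def push_off_by_one(e, s):      # deliberately wrong variant: writes at m, not succ(m)
    m, a = s
    return (m + 1, put(a, m, e))

# abstraction function abstr : (stack_new) stack.  Assumed axiomatisation:
# the live elements are the array entries at indices 1..m, index m on top.
def abstr(s):
    m, a = s
    r = EMPTY
    for i in range(1, m + 1):
        r = push(lookup(i, a), r)
    return r

def check_refinement(push_impl=push_new, elems=("a", "b"), max_index=3, max_pointer=3):
    """Check the four refinement axioms for every concrete stack (m, a) with
    m <= max_pointer and a ranging over all arrays with entries at indices
    1..max_index (including unreachable ones, e.g. a pointer beyond the
    written entries).  Returns (obligations checked, obligations violated)."""
    arrays = {INIT}
    for n, e in product(range(1, max_index + 1), elems):
        arrays |= {put(a, n, e) for a in arrays}
    checked = violated = 0

    def obligation(lhs, rhs):
        nonlocal checked, violated
        checked += 1
        violated += lhs != rhs

    obligation(abstr(EMPTY_NEW), EMPTY)                          # emptyStack_new
    for m, a in product(range(max_pointer + 1), arrays):
        s = (m, a)
        for e in elems:
            obligation(abstr(push_impl(e, s)), push(e, abstr(s)))  # push_new
        obligation(top_new(s), top(abstr(s)))                    # top_new
        obligation(abstr(pop_new(s)), pop(abstr(s)))             # pop_new
    return checked, violated

if __name__ == "__main__":
    print("StackByArray:   ", check_refinement())                # (433, 0)
    print("off-by-one push:", check_refinement(push_off_by_one))
```

Two points worth noting. The obligations hold for every pair (m, a), not only for pairs reachable from emptyStack_new, because top2 and pop2 only ever touch indices 1..m and push1 writes exactly at succ(m); that is what makes the concrete operations total, with no read or write outside the written range. The off-by-one variant violates push_new already at the empty stack, since abstr then reads index 1, which was never written, and gets error instead of the pushed element.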
The data structure refinement presented in this subsection constitutes an algebraic im- 
plementation to be discussed more formally in Section 4. 
We will extend the common approach to data structure refinement from first-order to 
higher-order functions. Moreover, we provide powerful transformation rules that refine 
data structures by manipulating algebraic specifications in a sound way. For the accom- 
panying conditions, we implemented analysis algorithms which establish the desired 
properties for a wide class of specifications. 

3 Foundations 

We survey the basic concepts of our approach to higher-order algebraic specifications 
to render the subsequent results precise. 

As specification language we use algebraic specifications with a loose constructor 
generated semantics [24]. The theory is extended to higher-order sorts and higher-order 
terms for expressing advanced concepts of functional programming. The approach, sim- 
ilar to [21] and [16], imposes a generation constraint on sorts to support the constructor 
based specification of data types. Furthermore, we introduce subalgebras [22] and con- 
gruences on the carriers of algebras [3], aiming at a refinement relation suitable for data 
structure refinements. Both concepts, subalgebras and congruences, are extended to the 
higher-order case. 

3.1 Signatures 

Signatures characterize the interface of a specification by naming its constituents. 

For a nonempty set $S$ of basic sorts, the set $S^{\times,\to}$ of derived sorts comprises $S$, all 
tuple sorts $(s_1, \ldots, s_n)$ for $n \ge 2$, and all function sorts $(s_1 \to s_2)$, defined inductively 
over $S$. 

A signature $\Sigma = (S, F, C)$ consists of 

- a set $S = SC \cup SP$ of basic sorts composed from a set $SC$ of constructor sorts 
and a set $SP$ of parameter sorts, 

- an $S^{\times,\to}$-indexed family $F$ of mutually disjoint sets $F_s$ of function symbols with 
functionality $s \in S^{\times,\to}$, 

- an $S^{\times,\to}$-indexed subfamily $C \subseteq F$ of constructors $C_s$ with either $s \in SC$ or 
$s = (sr \to sc)$ and $sc \in SC$. 

For a function symbol $f \in F_{(s_1 \to s_2)}$ we call $s_1$ the argument sort and $s_2$ the result 
sort of $f$. The function symbols in $F \setminus C$ are called operations. In the following we 
will denote basic sorts by $sb$, constructor sorts by $sc$, and derived sorts by $s$. We write 
$\Sigma = (S, F)$ for signatures whenever the family of constructors is not relevant in the 
respective context. 

A signature $\Sigma_1 = (S_1, F_1)$ is called a subsignature of a signature $\Sigma_2 = (S_2, F_2)$, 
denoted by $\Sigma_1 \subseteq \Sigma_2$, if $S_1 \subseteq S_2$ and $F_1 \subseteq F_2$ holds. 

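As an added illustration, not taken from the paper, here is a small checker for the signature definition of this subsection, applied to signatures written in the style of Section 2.3. It decides membership in the derived sorts over S, reports violations of the constructor condition (a constructor must yield a constructor sort, either directly or as the result sort of a function sort), and tests the subsignature relation. The Nat signature (zero and succ as constructors) and the reading of elem as a parameter sort and stack as a constructor sort of Stack are assumptions; the paper does not spell them out. Such well-formedness checks are the kind of side condition an implementation of the paper's transformation rules has to verify before rewriting a specification.

```python
"""Added example (not from the paper): a checker for the signature definition of
Section 3.1.  A basic sort is a string, a tuple sort is a tuple of at least two
derived sorts, and a function sort (s1 -> s2) is Fn(s1, s2).  A signature is a
dict with constructor sorts SC, parameter sorts SP, function symbols F
(name -> functionality) and constructor names C.  The Nat signature and the
classification of elem / stack in Stack are assumptions."""
from typing import NamedTuple

class Fn(NamedTuple):           # function sort (arg -> res)
    arg: object
    res: object

def is_derived_sort(s, basic):
    """Membership in S^{x,->}: S itself, tuple sorts and function sorts over it."""
    if isinstance(s, str):
        return s in basic
    if isinstance(s, Fn):       # tested before tuple: Fn is a tuple subclass
        return is_derived_sort(s.arg, basic) and is_derived_sort(s.res, basic)
    return isinstance(s, tuple) and len(s) >= 2 and all(is_derived_sort(t, basic) for t in s)

def signature_errors(sig):
    """Violations of Definition 3.1; an empty list means (S, F, C) is well-formed.
    Representing F as name -> functionality makes the sets F_s disjoint by construction."""
    sc, sp, f, c = sig["SC"], sig["SP"], sig["F"], sig["C"]
    basic = sc | sp
    errs = []
    if not basic:
        errs.append("S must be nonempty")
    for name, s in f.items():
        if not is_derived_sort(s, basic):
            errs.append(f"{name}: functionality {s!r} is not a derived sort over S")
    for name in sorted(c):
        if name not in f:
            errs.append(f"{name}: constructor is not a function symbol")
        elif not (f[name] in sc or (isinstance(f[name], Fn) and f[name].res in sc)):
            errs.append(f"{name}: constructor must yield a constructor sort, not {f[name]!r}")
    return errs

def is_subsignature(sig1, sig2):
    """Sigma_1 <= Sigma_2: S_1 <= S_2 and every symbol of F_1 occurs in F_2
    with the same functionality (F_1 <= F_2 as indexed families)."""
    s1 = sig1["SC"] | sig1["SP"]
    s2 = sig2["SC"] | sig2["SP"]
    f1, f2 = sig1["F"], sig2["F"]
    return s1 <= s2 and all(name in f2 and f2[name] == s for name, s in f1.items())

# assumed minimal Nat: zero and succ as constructors of the constructor sort nat
NAT = {"SC": {"nat"}, "SP": set(),
       "F": {"zero": "nat", "succ": Fn("nat", "nat")},
       "C": {"zero", "succ"}}

# Stack from Section 2.3 on top of Nat; elem is a parameter sort, stack a constructor sort
STACK = {"SC": {"nat", "stack"}, "SP": {"elem"},
         "F": {**NAT["F"],
               "error": "elem",
               "emptyStack": "stack",
               "push": Fn(("elem", "stack"), "stack"),
               "top": Fn("stack", "elem"),
               "pop": Fn("stack", "stack")},
         "C": {"zero", "succ", "emptyStack", "push"}}

# the same signature with top wrongly declared a constructor: its result sort elem is not in SC
BAD = {**STACK, "C": STACK["C"] | {"top"}}

# the representation sort stack_new = (nat, array) of Section 2.3 as a derived sort
STACK_NEW = ("nat", "array")

if __name__ == "__main__":
    print("Stack well-formed:", signature_errors(STACK) == [])
    print("Bad signature:   ", signature_errors(BAD))
    print("Nat <= Stack:    ", is_subsignature(NAT, STACK))
```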
3.2 Signature Morphisms 

Signature morphisms rename sort and function symbols in a compatible way. 

Let $S_1, S_2$ be two sets of basic sorts. A sort mapping $\tau : S_1 \to S_2$ is extended to 
a sort morphism $\tau : S_1^{\times,\to} \to S_2^{\times,\to}$ by setting 
